# COM S 687 Introduction to Cryptography October 19, 2006

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed encryptions that prevent a passive attacker from discovering any information about messages that are sent. In some situations, however, we may want to prevent an attacker from creating a new message from a given encryption. Consider an auction for example. Suppose the Bidder Bob is trying to send a message containing his bid to the Auctioneer Alice. Private key encryption could prevent an attacker Eve from knowing what Bob bids, but if she could construct a message that contained one more than Bob s bid, then she could win the auction. We say that an encryption scheme that prevents these kinds of attacks is non-malleable. Informally, if a scheme is non-malleable, then it is impossible to output an encrypted message containing any function of a given encrypted message. Formally, we have the following definition: Definition 1 (Non-Malleability) Let (Gen, Enc, Dec) be an encryption scheme. Let NM(m, A) be the output of the following experiment: 1. k Gen(1 m ) 2. c Enc k (m) 3. c 1, c 2, c 3,..., c l A(c, 1 m ) 4. m i if c i = c and Dec k (c i ) otherwise 5. output (m 1, m 2,...,m l ) Then (Gen, Enc, Dec) is non-malleable if for every non-uniform PPT A, and for every non-uniform PPT D, there exists a negligible ǫ such that for all m 0, m 1 {0, 1} n, Pr [D(NM(m 0, A)) = 1] Pr [D(NM(m 1, A)) = 1] ǫ(n) One non-trivial aspect of this definition is the conversion to of queries that have already been made (step 4). Clearly without this, the definition would be trivially unsatisfiable, because the attacker could simply forge the encryptions that they have already seen by replaying them. 16-1

2 1.1 Relation Based Non-Malleability We chose this definition because it mirrors our definition of secrecy in a satisfying way. However, an earlier and arguably more natural definition can be given by formalizing the intuitive notion that the attacker cannot output an encryption of a message that is related to a given message. For example, we might consider the relation R next (x) = {x + 1}, or the relation R within-one (x) = {x 1, x, x + 1}. We want to ensure that the encryption of x doesn t help the attacker encrypt an element of R(x). Formally: Definition 2 (Relation Based Non-Malleability) We say that an encryption scheme (Gen, Enc, Dec) is relation based non-malleable if for every PPT adversary A there exists a PPT simulator S such that for all PPT-recognizable relations R, there exists a negligible ǫ such that for all m M with m = n, and for all z, it holds that Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] where i ranges from 1 to a polynomial of n and NM is defined as above. This definition is equivalent to the non-relational definition given above. < ǫ Theorem 1 (Enc, Dec, Gen) is a non-malleable encryption scheme if and only if it is a relation-based non-malleable encryption scheme. Proof. ( ) Assume that the scheme is non-malleable by the first definition. For any given adversary A, we need to produce a simulator S that hits any given relation R as often as A does. Let S be the machine that performs the first 3 steps of NM(A(z), m ) and outputs the sequence of cyphertexts, and let D be the distinguisher for the relation R. Then Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] = Pr[D(NM(A(z), m))] Pr[D(NM(A(z), m ))] ǫ as required. ( ) Now, assume that the scheme is relation-based non-malleable. Given an adversary A, we know there exists a simulator S that outputs related encryptions as well as A does. The relation-based definition tells us that NM(A(z), m 0 ) Dec(S()) and Dec(S()) NM(A(z), m 1 ). Thus, by the polynomial jump lemma, NM(A(z), m 0 ) NM(A(z), m 1 ) which is the first definition of non-malleability. 16-2

3 1.2 Non-Malleability and Secrecy Note that non-malleability is a distinct concept from secrecy. For example, one-time pad is perfectly secret, yet is not non-malleable (since one can easily produce the encryption of a b give then encryption of a, for example). However, if we consider CCA2 attacks, then the two definitions coincide. Theorem 2 An encryption scheme Σ = (Enc, Dec, Gen) is CCA2 secret if and only if it is CCA2 non-malleable Proof sketch. If Σ is not CCA2 non-malleable, then a CCA2 attacker can break secrecy by changing the provided encryption into a related encryption, using the decryption oracle on the related message, and then distinguishing the unencrypted related messages. Similarly, if Σ is not CCA2 secret, then a CCA2 attacker can break non-malleability by simply decrypting the cyphertext, applying a function, and then re-encrypting the modified message. 2 Public Key Encryption Thus far we have considered private key encryption schemes where the encrypter and the decrypter share a common secret. This means that they are forced to meet in advance and agree on a secret. Ideally, we would like to drop this requirement. At first blush this seems impossible. Certainly the decryptor needs a key or else there is nothing preventing an attacker from doing the same thing that the decryptor does. Moreover, the encryptor needs the key because otherwise the key cannot help to decrypt the cyphertext. The flaw in this argument is that there is no need for the encrypter and the decryptor to have the same key, and in fact this is how public key cryptography works. We split the key into a secret decryption key S k and a public encryption key P k. The public key is published in a secure repository, where anyone can use it to encrypt messages. The private key is kept by the recipient, so that only she can decrypt. We define a public key encryption scheme as follows: Definition 3 (public key encryption scheme) A triple (Gen, Enc, Dec) is a public key encryption scheme over a message space M if 1. Gen is a PPT that outputs a pair P k, S k 2. Enc is a PPT that given P k and m produces a cyphertext c 16-3

4 3. Dec is a PPT that given c and S k produces a message m 4. For all m M and for all p k, s k Gen(1 k ), Dec Sk (Enc Pk (m)) = m Definition 4 (Secure PK Encryption) We say that a public key encryption scheme is secure if for every non-uniform PPT A, there exists a negligible ǫ such that for all messages m 0 and m 1 with m 0 = m 1, it holds that Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 0 )) = 1] Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 1 )) = 1] ǫ These definitions can be extended in a straightforward manner to get appropriate definitions for CPA security, as well as CCA1 and CCA2 security. Since the public key is available to the attacker, CPA security comes almost for free, but CCA1 and CCA2 secure schemes are much harder to come by. With these definitions, there are some immediate impossibility results: perfect secrecy it is clearly impossible to do perfect public-key secrecy, since an unbounded adversary could simply encrypt every message with every random string and lookup the cyphertext deterministic encryption it is impossible to have a deterministic encryption algorithm, because with a deterministic encryption algorithm, the encrypt and compare strategy easily distinguishes between messages. In addition, it is a straightforward excercise to show that single-message security implies many-message security. 2.1 Constructing a PK encryption system Trapdoor permutations seem to fit the requirements for a public key cryptosystem. We could let the public key be the index i of the function to apply, and the private key be the trapdoor t. Then we might consider Enc(m, i) = f i (m), and Dec(c, i, t) = fi 1 (c). This makes it easy to encrypt, and easy to decrypt with the public key, and hard to decrypt without. Using the RSA function defined in lecture 7, this construction yields the commonly used RSA cryptosystem. However, according to our definition, this construction does not yield a secure encryption scheme. In particular, it is deterministic, so it is subject to comparison attacks. A better scheme (for single-bit messages) is to let Enc(x, i) = {r {0, 1} n : f i (r), b(r) m } 16-4

5 where b is a hardcore bit for f. This scheme is secure, because distinguishing encryptions of 0 and 1 is essentially the same as recognizing the hardcore bit of a OWP, which we have argued is infeasible. 16-5

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Lecture 7: Hashing III: Open Addressing

Lecture 7: Hashing III: Open Addressing Lecture Overview Open Addressing, Probing Strategies Uniform Hashing, Analysis Cryptographic Hashing Readings CLRS Chapter.4 (and.3.3 and.5 if interested) Open Addressing

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### Yale University Department of Computer Science

Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

### a Course in Cryptography

a Course in Cryptography rafael pass abhi shelat c 2010 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Third edition:

### Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### Proofs in Cryptography

Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

### Cryptography. Lecture Notes from CS276, Spring 2009. Luca Trevisan Stanford University

Cryptography Lecture Notes from CS276, Spring 2009 Luca Trevisan Stanford University Foreword These are scribed notes from a graduate course on Cryptography offered at the University of California, Berkeley,

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Lecture 13: Factoring Integers

CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### RSA and Primality Testing

and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

### RSA Encryption. Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles October 10, 2003

RSA Encryption Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles October 10, 2003 1 Public Key Cryptography One of the biggest problems in cryptography is the distribution of keys.

### Definitions for Predicate Encryption

Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy giuper@dia.unisa.it Thursday 12 th April, 2012 Cryptographic Proofs 1 Content Results on

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

### Threshold Identity Based Encryption Scheme without Random Oracles

WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Lecture 17: Re-encryption

600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

### Hierarchical Group Signatures

Hierarchical Group Signatures Mårten Trolin and Douglas Wikström March 22, 2005 Abstract We introduce the notion of hierarchical group signatures. This is a proper generalization of group signatures, which

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Keywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control.

Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Identity Based

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### 8.1 Makespan Scheduling

600.469 / 600.669 Approximation Algorithms Lecturer: Michael Dinitz Topic: Dynamic Programing: Min-Makespan and Bin Packing Date: 2/19/15 Scribe: Gabriel Kaptchuk 8.1 Makespan Scheduling Consider an instance

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### The mathematics of cryptology

The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/ gunnells April 27, 2004 What is Cryptology?

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### Thinking of a (block) cipher as a permutation (depending on the key) on strings of a certain size, we would not want such a permutation to have many

Fixed points of permutations Let f : S S be a permutation of a set S. An element s S is a fixed point of f if f(s) = s. That is, the fixed points of a permutation are the points not moved by the permutation.

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### A Proposal for an ISO Standard for Public Key Encryption (version 2.1)

A Proposal for an ISO Standard for Public Key Encryption (version 2.1) Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com December 20, 2001 Abstract This

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### Lecture 13. Lecturer: Yevgeniy Dodis Spring 2012

CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming

### Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

### A Probabilistic Quantum Key Transfer Protocol

A Probabilistic Quantum Key Transfer Protocol Abhishek Parakh Nebraska University Center for Information Assurance University of Nebraska at Omaha Omaha, NE 6818 Email: aparakh@unomaha.edu August 9, 01

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this